CERTIFICATE problem

2009-02-03 Thread Cristian Novac

Hello,

I'm trying to do a TLS auth, and I get an error after the user sends his
cert.
Could someone please take a look at the error log? Maybe it tells you
more than I understand from it.

Thank you!

ps: the cert that is causing problems is a wimax device certificate.

EAP-Message = 0x010700060d00
Message-Authenticator = 0x
State = 0x3308bf64350fb208895733f1ee92d0aa
Finished request 14.
Going to the next request
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32792, id=137, length=449
User-Name = {2}0017c4274...@asb.com
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Called-Station-Id = 00-00-00-00-00-00:
Calling-Station-Id = 00-17-C4-27-4F-00
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x2572488de6e84a69ac6b8222da127be264180d403486f70baa24
State = 0x3308bf64350fb208895733f1ee92d0aa
Message-Authenticator = 0x28a0e6f06818284b670729e9df75d99c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm asb.com for User-Name = {2}0017c4274...@asb.com
[suffix] Found realm asb.com
[suffix] Adding Stripped-User-Name = {2}0017C4274F00
[suffix] Adding Realm = asb.com
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls]  TLS 1.0 Handshake [length 034f], Certificate
-- verify error:num=7:certificate signature failure
[tls]  TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> {2}0017c4274...@asb.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 15 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 15
Sending Access-Reject of id 137 to 127.0.0.1 port 32792
EAP-Message = 0x04070004
Message-Authenticator = 0x
Waking up in 1.8 seconds.
Cleaning up request 8 ID 130 with timestamp +14
Waking up in 0.2 seconds.
Cleaning up request 9 ID 131 with timestamp +14
Waking up in 0.3 seconds.
Cleaning up request 10 ID 132 with timestamp +14
Waking up in 0.2 seconds.
Cleaning up request 11 ID 133 with timestamp +15

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

OTP authentication to a mobile phone (sometimes called mobile TAN/mTAN)

2009-02-03 Thread Verlag Neue Stadt

Hello,

we would like to have captive users (authentication portal) authenticated
with a one time password (OTP).

After entering the user account at the captive login page, preferably
a/the RADIUS server should send the unique authentication number
(sometimes called mobile TAN/mTAN or OTP) to the user's mobile phone
in order to grant access.


Is something like that possible with freeradius?


Thanks for any feedback. John



RE: Problem with udpfromto in version 2.1.1 - please help

2009-02-03 Thread Will D. Spann
Ivan Kalik,

I should note that in my radiusd.conf file, I'm not including eap.conf nor 
sites-enabled/, but other than that I have all default settings.

Well done! By removing /sites-enabled you have stopped the server from
processing all As from AAA (authentication, authorization and
accounting) in one masterful stroke. Now put everything back as it was.

Thanks for the reply.  I didn't realize disabling sites-enabled would disable 
all AAA services.

Running radiusd -X as root with default settings gives errors related to EAP 
and Diffie-Hellman.  I'm running the x64 package from openSUSE 11.1 (FreeRADIUS 
2.1.1).  I have OpenSSL 0.9.8h installed.

The radiusd -X output is listed below.  Thanks for any comments on this.

Will


gcwifi-auth-vm:~ # radiusd -X
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Dec  3 2008 
at 13:57:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE.  
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2.   
Starting - reading configuration files ...   
including configuration file /etc/raddb/radiusd.conf 
including configuration file /etc/raddb/proxy.conf   
including configuration file /etc/raddb/clients.conf 
including files in directory /etc/raddb/modules/ 
including configuration file /etc/raddb/modules/pam  
including configuration file /etc/raddb/modules/pap  
including configuration file /etc/raddb/modules/chap 
including configuration file /etc/raddb/modules/echo 
including configuration file /etc/raddb/modules/exec 
including configuration file /etc/raddb/modules/expr 
including configuration file /etc/raddb/modules/ldap 
including configuration file /etc/raddb/modules/krb5 
including configuration file /etc/raddb/modules/unix 
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/radutmp  
including configuration file /etc/raddb/modules/counter  
including configuration file /etc/raddb/modules/acct_unique  
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mac2vlan 
including configuration file /etc/raddb/modules/linelog  
including configuration file /etc/raddb/modules/detail.example.com   
including configuration file /etc/raddb/modules/checkval 
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/sql_log  
including configuration file /etc/raddb/modules/sradutmp 
including configuration file /etc/raddb/modules/always   
including configuration file /etc/raddb/modules/attr_rewrite 
including configuration file /etc/raddb/modules/detail   
including configuration file /etc/raddb/modules/digest   
including configuration file /etc/raddb/modules/ippool   
including configuration file /etc/raddb/modules/mac2ip   
including configuration file /etc/raddb/modules/mschap   
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd   
including configuration file /etc/raddb/modules/policy   
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/preprocess   
including configuration file /etc/raddb/modules/attr_filter  
including configuration file /etc/raddb/modules/detail.log   
including configuration file /etc/raddb/modules/expiration   
including configuration file /etc/raddb/eap.conf 
including configuration file /etc/raddb/sql.conf 
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf   
including configuration file /etc/raddb/policy.conf  
including files in directory /etc/raddb/sites-enabled/   
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel   
group = radiusd  
user = radiusd   
including dictionary file /etc/raddb/dictionary  
main {   
prefix = /usr  
localstatedir = /var   
logdir = /var/log/radius   
libdir = /usr/lib64/freeradius 
radacctdir = /var/log/radius/radacct   
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024  
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid 
checkrad = /usr/sbin/checkrad  
debug_level = 0  
proxy_requests = yes 
 log {   
stripped_names = no  
auth = no
auth_badpass = no
auth_goodpass = no   
 }   
 security {  
max_attributes = 200 
reject_delay = 1 
status_server = yes  
 }   
}
 client localhost {  
ipaddr = 127.0.0.1   
require_message_authenticator = no   
secret = testing123
nastype = other
 }   

Re: Installation Problem

2009-02-03 Thread Will D. Spann
Alan DeKok,

I'm getting the same Make error when I try to compile this version (v2.1.3) on
openSUSE 11.1 (x64).  I took your advice to Marcelo and restarted from a fresh
source tree, but got the same result both times.  The ./configure script ran
without errors.  Here's a bit more of the output I got.

.libs/modules.o: In function `setup_modules':
/root/tmp/install/freeradius-server-2.1.3/src/main/modules.c:1037: undefined 
reference to `lt__PROGRAM__LTX_preloaded_symbols'
collect2: ld returned 1 exit status

Wish I could be of more help.

Will Spann

From: Alan DeKok al...@deployingradius.com
To: marcelo...@comcast.net; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Sent: Monday, February 2, 2009 2:41:08 AM
Subject: Re: Installation Problem

Marcelo Freitas wrote:
 Hello everybody,
 
 I searched the archive but I couldn't find any other topic similar. Can
 someone help me with the installation of FreeRadius 2.1.3 on my Slackware
 box ?
...
 /home/other/freeradius-server-2.1.3/src/main/modules.c:1037: undefined
 reference to `lt__PROGRAM__LTX_preloaded_symbols'

  Hmm... it looks like some weird libtool issue.  I suggest deleting the
entire source tree, and re-building from scratch.

  What OS are you using?

  Alan DeKok.

Re: OTP authentication to a mobile phone (sometimes called mobile TAN/mTAN)

2009-02-03 Thread Alan DeKok
Verlag Neue Stadt wrote:
 we would like to have captive users (authentication portal) authenticated
 with a one time password (OTP).

  The captive portal is responsible for implementing the login page, and
all of the handling of RADIUS client requests.

 After entering the user account at the captive login page, preferably
 a/the RADIUS server should send
 the unique authentication number (sometimes called mobile TAN/mTAN or
 OTP) to the user's mobile
 phone in order to grant access.

  No.  The *captive portal* is responsible for this.  It should also
insert the number into a DB.  FreeRADIUS can then query that DB for
authentication information.

 Is something like that possible with freeradius?

  It has very little to do with FreeRADIUS.  You need to configure it to
read usernames/passwords from a DB, and you need to configure the
captive portal to do everything else.

  Alan DeKok.
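The division of labour Alan describes above (the portal generates the code, sends it and stores it; FreeRADIUS only checks what is in the database) can be sketched in a few functions. This is an added example, not code from the thread or from FreeRADIUS: the `otp_table` dict stands in for the shared database, its column names and the limits (6 digits, 120 second lifetime, 3 attempts) are assumptions, and actually sending the SMS is left to the portal.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the mailing-list thread or from FreeRADIUS.
CODE_DIGITS = 6            # assumed code length
CODE_TTL_SECONDS = 120     # assumed lifetime of a code
MAX_ATTEMPTS = 3           # assumed number of guesses before the code is voided

# Stand-in for the database table the captive portal writes and the RADIUS
# server reads.  Assumed columns: salt, code hash, expiry, attempt counter.
otp_table = {}


def _hash_code(salt, code):
    """Store a salted hash, never the code itself, so a DB leak is not a login."""
    return hashlib.sha256(salt + code.encode()).hexdigest()


def portal_issue_code(user, now=None):
    """Captive-portal side: make a fresh code, store its hash, return the code
    so the portal can send it by SMS.  Re-issuing replaces any pending code."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    salt = secrets.token_bytes(16)
    otp_table[user] = {
        "salt": salt,
        "hash": _hash_code(salt, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def radius_verify_code(user, submitted, now=None):
    """RADIUS side: accept only an unexpired, unused code with attempts left.
    Returns (accepted, reason)."""
    now = time.time() if now is None else now
    row = otp_table.get(user)
    if row is None:
        return False, "no pending code"
    if now > row["expires"]:
        del otp_table[user]
        return False, "expired"
    if row["attempts"] >= MAX_ATTEMPTS:
        del otp_table[user]
        return False, "too many attempts"
    row["attempts"] += 1
    # Constant-time comparison of the two hex digests
    if hmac.compare_digest(row["hash"], _hash_code(row["salt"], submitted)):
        del otp_table[user]          # single use: a replayed code must fail
        return True, "ok"
    return False, "wrong code"


if __name__ == "__main__":
    code = portal_issue_code("john")        # portal would now SMS this value
    print(radius_verify_code("john", code))   # (True, 'ok')
    print(radius_verify_code("john", code))   # (False, 'no pending code')
```

The RADIUS-side check is the only part that would live in FreeRADIUS (for instance behind an SQL or script module); everything before it belongs to the portal, exactly as Alan says.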


Re: Installation Problem

2009-02-03 Thread Alan DeKok
Will D. Spann wrote:
 I'm getting the same Make error when I try to compile this version
 (v2.1.3) on openSUSE 11.1 (x64).  I took your advice to Marcelo and
 restarted from a fresh source tree, but got the same result both times. 
 The ./configure script ran without errors.  Here's a bit more of the
 output I got.

  Hm... I'm not sure what to say.  This is really a libtool / libltdl
problem.  It works on all other systems I have access to (*BSD, Linux,
MAC...)

 .libs/modules.o: In function `setup_modules':
 /root/tmp/install/freeradius-server-2.1.3/src/main/modules.c:1037:
 undefined reference to `lt__PROGRAM__LTX_preloaded_symbols'
 collect2: ld returned 1 exit status

  Maybe try downloading the latest stable tree.  See
git.freeradius.org for instructions on getting it via git.

  Alan DeKok.


Re: radmanager

2009-02-03 Thread orion
hi there

here is a link for radmanager

http://www.dmasoftlab.com/cont/home

anyway it's not free and I can't see a link for a demo/trial version

2009/2/3 Gunza gunza_...@yahoo.com

 Does anybody have a copy of Radius Manager or a download link? If you have, please send
 it to me.

 Thanks,
 Gunza

 --- On *Mon, 2/2/09, Mike Strider mstri...@atmc.net* wrote:

 From: Mike Strider mstri...@atmc.net
 Subject: radmanager
 To: 'FreeRadius users mailing list' 
 freeradius-users@lists.freeradius.org
 Date: Monday, February 2, 2009, 11:30 AM

  Orion, do you have a link to radmanager?

 Thanks

 .. Mike


Query on Acct-Status-Type

2009-02-03 Thread ramesh p
Hi all,

I need to store packets with Acct-Status-Type := Stop only in the db
'radacct'; the rest of the packets need to be ignored. How do I proceed? Please
give a suggestion.

Note: I am using the freeradius 1.1.6 version.

Regards,
Ramesh.

Re: Problem with udpfromto in version 2.1.1 - please help

2009-02-03 Thread Alan DeKok
Will D. Spann wrote:
 Thanks for the reply.  I didn't realize disabling sites-enabled would
 disable all AAA services.

  The comments in radiusd.conf just before that say that the authorize
etc. sections are in virtual hosts, and that the include line includes
those virtual hosts.

 Running radiusd -X as root with default settings gives errors related to
 EAP and Diffie-Hellman.  I'm running the x64 package from openSUSE 11.1
 (FreeRADIUS 2.1.1).  I have OpenSSL 0.9.8h installed.

  Run the bootstrap command as root.

  Alan DeKok.


Re: Query on Acct-Status-Type

2009-02-03 Thread tnt
I need to store packets with Acct-Status-Type := Stop only in the db
'radacct'; the rest of the packets need to be ignored. How do I proceed? Please
give a suggestion.

Note: I am using the freeradius 1.1.6 version.


In sql.conf leave only accounting_stop_query_alt and comment out the
others. You are aware that this will disable Simultaneous-Use?

Ivan Kalik
Kalik Informatika ISP



Re: Inner identity in accounting logs

2009-02-03 Thread Alan DeKok
Jonathan Gazeley wrote:
 Sorry to 'bump' my previous post. I'm at a loss as to why FreeRADIUS
 expands the username as expected, but why this username never makes it
 back to the NAS. Does anyone have any ideas?

  No idea... is there anything else that's over-writing the User-Name?

  Alan DeKok.


[no subject]

2009-02-03 Thread А Гауэрт
I'm new at this and I was wondering if anyone can help me out configuring free
radius for mac address authentication.

I need to install a server for mac address authentication, without certificates.

I have switch clients and I need to authenticate users on these switches by mac
(only).
It's about 10 000 users on 200 switches in the network.

The problem is that some switches return for a user:
User-Name = 002179a516be
and other switches return the same user in reverse!!! format:
User-Name = eb-61-5a-79-12-00

Should I configure different Users for that?
Thanks


RE: mschapv2 can't get connected

2009-02-03 Thread saman saman

Hi Alan,

I would appreciate it if you could give me some tips on how to solve the problem.
I really have no idea why this happens or where I went wrong.. newbie. Thanks in
advance.

 Date: Mon, 2 Feb 2009 14:50:04 +0100
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: mschapv2 can't get connected

 saman saman wrote:
  Hi.. Can anyone help me? I can't get the client to connect to the radius server.
  Any suggestion on how to fix it.. appreciated. Here is the radius output:
  ...
  EAP-Message = 0x0101000501

  Your supplicant is sending an empty identity.  This isn't permitted.

  Alan DeKok.

RE: mschapv2 can't get connected

2009-02-03 Thread tnt
Hi Alan, I would appreciate it if you could give me some tips on how to solve the problem.
I really have no idea why this happens or where I went wrong.. newbie. Thanks in
advance.

What are you using to connect to the AP? Whatever you are using is
broken. Fix it or get a new one.

Ivan Kalik
Kalik Informatika ISP



Re: Query on Acct-Status-Type

2009-02-03 Thread ramesh p
You are aware that this will disable Simultaneous-Use?
Could you explain more to me?

At present I am using the Accounting_stop query and the Accounting_stop_alt query for
storing stop packets.

My routers will be sending packets with Acct-Status-Type =
Start,
Stop,
Checkpoint,
Accounting-On,
Accounting-Off,
Tunnel-Start,
Tunnel-Stop,
Tunnel-Reject,
Tunnel-Link-Start,
Tunnel-Link-Stop,
Tunnel-Link-Reject,
Failed.

However, I need to store only the category of Acct-Status-Type == Stop
packets.

Regards,
Ramesh.

 I need to store packets with Acct-Status-Type := Stop only in the db
 'radacct'; the rest of the packets need to be ignored. How do I proceed? Please
 give a suggestion. Note: I am using the freeradius 1.1.6 version.

 In sql.conf leave only accounting_stop_query_alt and comment out the others.
 You are aware that this will disable Simultaneous-Use?

 Ivan Kalik
 Kalik Informatika ISP


On Tue, Feb 3, 2009 at 5:17 PM, ramesh p rock786...@gmail.com wrote:

 Hi all,

 I need to store packets with Acct-Status-Type := Stop only in the db
 'radacct'; the rest of the packets need to be ignored. How do I proceed? Please
 give a suggestion.

 Note: I am using the freeradius 1.1.6 version.

 Regards,
 Ramesh.


Re: Query on Acct-Status-Type

2009-02-03 Thread tnt
You are aware that this will disable Simultaneous-Use?
Could you explain more to me?


If you don't record Start packets you won't be able to detect double
(or multiple) logins by the same user. Potentially, one user can pay you
and reveal his user/pass to everybody and all of them will be able to
connect to your network as they please. If Simultaneous-Use is working
only one at a time can connect - they can still share user details but
they won't be able to connect at the same time.


My routers will be sending packets with Acct-Status-Type =
Start,
Stop,
Checkpoint,
Accounting-On,
Accounting-Off,
Tunnel-Start,
Tunnel-Stop,
Tunnel-Reject,
Tunnel-Link-Start,
Tunnel-Link-Stop,
Tunnel-Link-Reject,
Failed.


There should be Interim-Update on that list as well. Freeradius processes
Start, Stop, Update, On and Off by default.

However, I need to store only the category of Acct-Status-Type == Stop
packets.


You have done that already:

At present am using Accounting_stop query and Accounting_stop_alt query for
storing stop packets.

Ivan Kalik
Kalik Informatika ISP



Re: Inner identity in accounting logs

2009-02-03 Thread Jonathan Gazeley
No - this is a completely standard FreeRADIUS configuration. Nothing 
relating to rewriting anything has been changed.


In the debug log posted in one of my earlier messages, it appears the FR 
server sends an Access-Challenge packet from the inner server using my 
statically set outer ID (testing-jg4461). But immediately after, it 
reverts to using the original outer ID (qwerty99). Then this username 
shows in accounting.


This doesn't happen when I set the outer ID in the outer server. In that 
case, the statically set outer ID sticks and appears in accounting.


What's the difference between using an identical piece of code in inner 
or outer servers?



Alan DeKok wrote:
 Jonathan Gazeley wrote:
  Sorry to 'bump' my previous post. I'm at a loss as to why FreeRADIUS
  expands the username as expected, but why this username never makes it
  back to the NAS. Does anyone have any ideas?

   No idea... is there anything else that's over-writing the User-Name?

   Alan DeKok.


Re: CERTIFICATE problem

2009-02-03 Thread Alan DeKok
Cristian Novac wrote:
 I'm trying to do a TLS auth, and I get an error after the user sends his
 cert.
 Could someone please take a look at the error log? Maybe it tells you
 more than I understand from it.
 Thank you!
 
 ps: the cert that is causing problems is a wimax device certificate.

  WiMAX mandates certificates signed with SHA hashes.  If your version
of OpenSSL doesn't support this, it won't work.

  Build a version of OpenSSL that includes support for SHA digests.

  Alan DeKok.
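Alan's diagnosis can be checked on the certificate itself before it is ever presented in EAP-TLS: the `ASN1_verify:unknown message digest algorithm` error in the log comes from the signatureAlgorithm OID naming a digest the OpenSSL build cannot supply. The following is an added example, not code from the thread, from FreeRADIUS or from OpenSSL: it walks the outer DER structure of a certificate, decodes the signatureAlgorithm OID and reports whether the digest it names is in a given set of digests the local build is assumed to support. The certificate bytes are constructed inline (the tbsCertificate is a placeholder), and the "supported digest" sets are assumptions for illustration.

```python
# Added example, not code from the mailing-list thread, FreeRADIUS or OpenSSL.
# Reads the signatureAlgorithm OID of a DER certificate and checks whether the
# digest it names is one the local OpenSSL build is assumed to know.

# Standard signature-algorithm OIDs -> (name, digest)
OID_NAMES = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)        # base-128, high bit means "more to come"
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert_body, 0)           # skip tbsCertificate
    tag, alg_body, _ = read_tlv(cert_body, pos)  # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_value, _ = read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_value)


def check_signature_digest(cert_der, supported_digests):
    """Return (algorithm name, verdict) for a DER certificate."""
    oid = signature_algorithm_oid(cert_der)
    name, digest = OID_NAMES.get(oid, (oid, None))
    if digest is None:
        return name, "unknown signature OID"
    if digest not in supported_digests:
        return name, "digest %s not available in this OpenSSL build" % digest
    return name, "ok"


# --- constructed sample input (not a real certificate) ------------------------

def der_tlv(tag, body):
    """Encode one DER TLV, using the long length form where needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(oid_content):
    """Certificate-shaped DER with a placeholder tbsCertificate (constructed)."""
    tbs = der_tlv(0x30, b"\x00" * 200)                              # >127 bytes: long form
    alg = der_tlv(0x30, der_tlv(0x06, oid_content) + b"\x05\x00")   # OID + NULL params
    sig = der_tlv(0x03, b"\x00" + b"\xAA" * 32)                     # BIT STRING placeholder
    return der_tlv(0x30, tbs + alg + sig)


SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5

if __name__ == "__main__":
    old_build = {"md5", "sha1"}   # assumed digest set of a build without SHA-2
    for oid_bytes in (SHA1_RSA, SHA256_RSA):
        print(check_signature_digest(build_sample_cert(oid_bytes), old_build))
```

Run against the real device certificate (DER-decoded from the PEM the operator has) the verdict tells you whether rebuilding OpenSSL with the missing digest, as Alan suggests, is the fix, or whether the certificate uses an algorithm the server has never heard of at all.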


Re:

2009-02-03 Thread Alan DeKok
А Гауэрт wrote:
 I'm new at this and I was wondering if anyone can help me out configuring
 free radius for mac address authentication.
 
 I need to install a server for mac address authentication, without
 certificates.
 
 I have switch clients and I need to authenticate users on these switches by mac
 (only).
 It's about 10 000 users on 200 switches in the network.
 
 The problem is that some switches return for a user:
 User-Name = 002179a516be
 and other switches return the same user in reverse!!! format:
 User-Name = eb-61-5a-79-12-00
 
 Should I configure different Users for that?

  No.  Configure a rule to re-write the first format into the second
format.  You can use regular expressions for this.  See man unlang.

  Alan DeKok.
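Alan's advice above is to rewrite one format into the other with a regular expression rather than keep two user entries per device. The following is an added example, not code from the thread or from FreeRADIUS, of the same normalisation expressed in Python so the rule can be tested on its own: every accepted spelling of a MAC is reduced to twelve lower-case hex digits, and switches known to send the string backwards are listed per NAS-IP-Address (a constructed table; the assumption that such a switch reverses the string character by character is this example's, not the thread's).

```python
import re

# Added example, not code from the mailing-list thread or from FreeRADIUS.
# Normalise the MAC address a switch sends as User-Name before the user lookup.

# Accepted input spellings: 12 bare hex digits, xx-xx-xx-xx-xx-xx,
# xx:xx:xx:xx:xx:xx and xxxx.xxxx.xxxx, in any letter case.
MAC_FORMATS = [
    re.compile(r"^[0-9a-f]{12}$"),
    re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$"),
    re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$"),
    re.compile(r"^[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}$"),
]

# Constructed: NAS addresses of switches known to send the address string
# reversed.  Keying the rule on NAS-IP-Address gives each switch its own rule.
REVERSING_NAS = {"10.1.1.2"}


def is_mac(value):
    """True if value is one of the accepted MAC spellings."""
    v = value.strip().lower()
    return any(p.match(v) for p in MAC_FORMATS)


def canonical_mac(user_name, nas_ip=None):
    """Return the MAC as 12 lower-case hex digits, or raise ValueError."""
    value = user_name.strip().lower()
    if not is_mac(value):
        raise ValueError("User-Name %r is not a MAC address" % user_name)
    digits = re.sub(r"[-:.]", "", value)
    if nas_ip in REVERSING_NAS:
        # Assumption: these switches send the hex string written backwards
        # character by character, so undo that to get the canonical form.
        digits = digits[::-1]
    return digits


def as_dashed(digits):
    """Render 12 hex digits in the xx-xx-xx-xx-xx-xx form (the second format)."""
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def lookup_user(user_name, nas_ip, user_table):
    """Look the normalised MAC up in one user table (a constructed stand-in)."""
    return canonical_mac(user_name, nas_ip) in user_table


if __name__ == "__main__":
    known = {"002179a516be"}                           # constructed user table
    print(lookup_user("00-21-79-A5-16-BE", "10.1.1.1", known))   # True
    print(lookup_user("eb-61-5a-97-12-00", "10.1.1.2", known))   # True (reversed switch)
```

Whatever the canonical form chosen, it should be the only spelling stored in the users file or database; anything that does not match `is_mac` is best rejected early rather than passed to the lookup.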

Re: Inner identity in accounting logs

2009-02-03 Thread Jonathan Gazeley
Sorry to 'bump' my previous post. I'm at a loss as to why FreeRADIUS 
expands the username as expected, but why this username never makes it 
back to the NAS. Does anyone have any ideas?


Thanks,
Jonathan


Jonathan Gazeley wrote:

I'm running FreeRADIUS 2.1.1.

My config block in the post-auth section of the  inner-tunnel server 
currently reads:


   update outer.reply {
       User-Name := "testing-%{User-Name}"
   }


FR does indeed appear to be using this block:

   expand: testing-%{User-Name} -> testing-jg4461
++[outer.reply] returns ok

Authenticating with outer ID qwerty99 and inner ID jg4461 gives 
output as in the attached log, included to give context. The outer 
server is uobresnet and the inner one is still called inner-tunnel.


So it seems to me like FR is doing what it is being asked to do, but 
maybe this isn't the right thing. Previous tests showed that setting 
the outer ID in the uobresnet server does make the NAS use the right 
username.


If anyone can shed any light on this, I'd be very grateful.

Thanks,
Jonathan


Alan DeKok wrote:
 Jonathan Gazeley wrote:
  When added in the inner-tunnel server, this block has no effect on the
  content of the Access-Accept packets (as shown by radiusd -X).

   Which version are you running?  Is it *using* that entry you added?

   Alan DeKok.


Re:

2009-02-03 Thread Evgeniy Kozhuhovskiy

А Гауэрт wrote:

I'm new at this and I was wondering if anyone can help me out configuring free
radius for mac address authentication.

I need to install a server for mac address authentication, without certificates.

I have switch clients and I need to authenticate users on these switches by mac
(only).
It's about 10 000 users on 200 switches in the network.

The problem is that some switches return for a user:
User-Name = 002179a516be
and other switches return the same user in reverse!!! format:
User-Name = eb-61-5a-79-12-00

Use rlm_attr_rewrite or rlm_perl for that.

--
With best regards, Evgeniy Kozhuhovskiy
Leader, Services team
Minsk State Phone Network, RUE Beltelecom.



Variable for Secret in Request?

2009-02-03 Thread Eric Geier
Is there a Variable for the shared secret used in the request packets?

 

Thanks, Eric.


Re: Inner identity in accounting logs

2009-02-03 Thread Arran Cudbard-Bell
Jonathan Gazeley wrote:
 No - this is a completely standard FreeRADIUS configuration. Nothing
 relating to rewriting anything has been changed.
 
 In the debug log posted in one of my earlier messages, it appears the FR
 server sends an Access-Challenge packet from the inner server using my
 statically set outer ID (testing-jg4461). But immediately after, it
 reverts to using the original outer ID (qwerty99). Then this username
 shows in accounting.
 
 This doesn't happen when I set the outer ID in the outer server. In that
 case, the statically set outer ID sticks and appears in accounting.
 
 What's the difference between using an identical piece of code in inner
 or outer servers?
 
 

As far as i'm aware this has never worked, which is why I still return
attributes from the inner tunnel and get it that way.


eap {
    peap {
        use_tunneled_reply = yes
        virtual_server = local.user.inner
    }
}


server local.user.inner {
    post-auth {
        #
        #  Return inner identity to use in final accept
        #
        update reply {
            User-Name := "%{Stripped-User-Name}"
        }
    }
}


You can then apply your authorisation policy in post-auth where it
should be already :P .

Alan, If the last round of the EAP conversation didn't require data to
be sent to the inner server the outer.User-Name attribute would just be
discarded right? Or do you store those attributes in the same place you
store the tunneled-reply ?

Arran


 Alan DeKok wrote:
  Jonathan Gazeley wrote:
   Sorry to 'bump' my previous post. I'm at a loss as to why FreeRADIUS
   expands the username as expected, but why this username never makes it
   back to the NAS. Does anyone have any ideas?

    No idea... is there anything else that's over-writing the User-Name?

    Alan DeKok.

- --
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: Variable for Secret in Request?

2009-02-03 Thread Alan DeKok
Eric Geier wrote:
 Is there a Variable for the shared secret used in the request packets?

  %{client:secret}

  *Anything* in the client section can be referenced this way:

clients.conf:

  client foo {
      ipaddr = 1.2.3.4
      secret = testing123
      the_beatles = cool
  }


authorize, etc.:

  if ("%{client:the_beatles}" == "cool") {
      ...
  }

  Alan DeKok.


Re: radius web managment

2009-02-03 Thread liran tal
Hey,

I am the author of the daloRADIUS project.
All that has been said so far is true - you are really lacking some
basic knowledge to be able to set it up,
and true, the mysql database connection shouldn't really be root but
that's another course in security so we
won't go diving into that now...

I'll join my friend Ivan and advise you to simply post your questions
in the daloRADIUS community, it is a great
community with many resources for help starting with the very active
mailing list, forums, irc and wiki/online guides.

I wish you goodluck whatever you choose to continue with...


Regards,
Liran.


On Mon, Feb 2, 2009 at 9:02 PM, Mr Little Crazzy
litlle_cra...@hotmail.com wrote:
 Did you manage to configure Daloradius?? Because I get this error when I try
 to login

 Database connection error
 Error Message: DB Error: connect failed
 Debug: [nativecode=Access denied for user 'root'@'localhost' (using
 password: NO)] ** mysql://root:@127.0.0.1/radius

 Date: Mon, 2 Feb 2009 19:56:27 +0100
 Subject: Re: radius web managment
 From: meshkr...@gmail.com
 To: freeradius-users@lists.freeradius.org

 for me daloradius; if you can spend some money you may go with radmanager
 ( ~ 99eur )

 2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com

 Has someone installed dialup admin or daloradius??
 I have installed dialup admin, but my problem is that it does not list the
 connected users.
 Which is the best?? And does someone have an install guide for installing each
 one?



RE: radius web managment

2009-02-03 Thread Mr Little Crazzy

I found my error. The error was that in the new version of daloradius there is a file
called config.php or something like that, and not a file called config.conf where
I did my config.

 Date: Tue, 3 Feb 2009 21:19:01 +0200
 Subject: Re: radius web managment
 From: liransgar...@gmail.com
 To: freeradius-users@lists.freeradius.org
 
 Hey,
 
 I am the author of the daloRADIUS project.
 All that has been said so far is true - you are really lacking some
 basic knowledge to be able to set it up,
 and true, the mysql database connection shouldn't really be root but
 that's another course in security so we
 won't go diving into that now...
 
 I'll join my friend Ivan and advise you to simply post your questions
 in the daloRADIUS community, it is a great
 community with many resources for help starting with the very active
 mailing list, forums, irc and wiki/online guides.
 
 I wish you goodluck whatever you choose to continue with...
 
 
 Regards,
 Liran.
 
 
 On Mon, Feb 2, 2009 at 9:02 PM, Mr Little Crazzy
 litlle_cra...@hotmail.com wrote:
  did you could configure Daloradius ?? Because i have this error when i try
  to login
 
  Database connection error
  Error Message: DB Error: connect failed
  Debug: [nativecode=Access denied for user 'root'@'localhost' (using
  password: NO)] ** mysql://root:@127.0.0.1/radius
 
 
 
 
  
  Date: Mon, 2 Feb 2009 19:56:27 +0100
  Subject: Re: radius web managment
  From: meshkr...@gmail.com
  To: freeradius-users@lists.freeradius.org
 
  For me, daloradius; if you can spend some money you may go with radmanager
  (~99 EUR)
 
  2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com
 
  Has someone installed dialup admin or daloradius?
  I have installed dialup admin, but my problem is that it does not list the
  connected users.
  Which is the best? And does someone have an install guide for each of them?
 
 
  


User account lockout

2009-02-03 Thread SDamron
Is there a way, using whatever method, to lock out accounts after
several bad login attempts?

TIA,

Damron


Re: User account lockout

2009-02-03 Thread SDamron
Awesome!  Thanks for the info.

On Tue, Feb 3, 2009 at 6:07 PM, Marinko Tarlac mangi...@gmail.com wrote:
 Insert failed login attempts in radpostauth table and count them... After
 that add Auth-Type Reject...

 SDamron wrote:

 Is there a way, using whatever method, to lock out accounts after
 several bad login attempts?

 TIA,

 Damron


RE: Variable for Secret in Request?

2009-02-03 Thread Eric Geier
Great, thanks!

If sql xlat won't work in the clients file, do you recommend to check
something in particular? I also can't get the mac authentication working
with Calling-Station-ID in the radcheck table...maybe I have something wrong
with my sql on the freeradius machine or with the SQL server.

-Original Message-
From: freeradius-users-bounces+me=egeier@lists.freeradius.org
[mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Tuesday, February 03, 2009 1:47 PM
To: FreeRadius users mailing list
Subject: Re: Variable for Secret in Request?

Eric Geier wrote:
 Is there a Variable for the shared secret used in the request packets?

  %{client:secret}

  *Anything* in the client section can be referenced this way:

clients.conf:

  client foo {
      ipaddr = 1.2.3.4
      secret = testing123
      the_beatles = cool
  }


authorize, etc.:

  if ("%{client:the_beatles}" == "cool") {
      ...
  }

  Alan DeKok.


Re: radius web management

2009-02-03 Thread liran tal
The file is called daloradius.conf.php
There's a file called INSTALL; if you had done some reading it
would have saved you 2 days
and the world a couple of hundred bytes of unnecessary email.

Regards,
Liran.


On Tue, Feb 3, 2009 at 9:37 PM, Mr Little Crazzy
litlle_cra...@hotmail.com wrote:
 I found my error: in the new version of daloRADIUS there is a
 file called config.php or something like that and not a file called
 config.conf, where I did my config.

 Date: Tue, 3 Feb 2009 21:19:01 +0200
 Subject: Re: radius web management
 From: liransgar...@gmail.com
 To: freeradius-users@lists.freeradius.org

 Hey,

 I am the author of the daloRADIUS project.
 All that has been said so far is true - you are really lacking some
 basic knowledge to be able to set it up,
 and true, the mysql database connection shouldn't really be root but
 that's another course in security so we
 won't go diving into that now...

 I'll join my friend Ivan and advise you to simply post your questions
 in the daloRADIUS community, it is a great
 community with many resources for help starting with the very active
 mailing list, forums, irc and wiki/online guides.

 I wish you good luck whatever you choose to continue with...


 Regards,
 Liran.


 On Mon, Feb 2, 2009 at 9:02 PM, Mr Little Crazzy
 litlle_cra...@hotmail.com wrote:
  Were you able to configure daloRADIUS? Because I have this error when I
  try to log in
 
  Database connection error
  Error Message: DB Error: connect failed
  Debug: [nativecode=Access denied for user 'root'@'localhost' (using
  password: NO)] ** mysql://root:@127.0.0.1/radius
 
 
 
 
  
  Date: Mon, 2 Feb 2009 19:56:27 +0100
  Subject: Re: radius web management
  From: meshkr...@gmail.com
  To: freeradius-users@lists.freeradius.org
 
  For me, daloradius; if you can spend some money you may go with
  radmanager (~99 EUR)
 
  2009/2/2 Mr Little Crazzy litlle_cra...@hotmail.com
 
  Has someone installed dialup admin or daloradius?
  I have installed dialup admin, but my problem is that it does not list the
  connected users.
  Which is the best? And does someone have an install guide for each of them?
 
 
  


Problem with only some users. Monowall - Freeradius

2009-02-03 Thread Daniel Bojczuk
Hi!!

I have a Monowall authorizing and accounting on a Freeradius 2.1.1

When I execute:
  radtest nbati...@dialup.usp.br *** 123.123.123.123 0 's3mf!o/'
I get the following answer:
   Sending Access-Request of id 177 to 123.123.123.123 port 1812
   User-Name = nbati...@dialup.usp.br
   User-Password = nat6672
   NAS-IP-Address = 123.123.123.123
   NAS-Port = 0
   rad_recv: Access-Accept packet from host 123.123.123.123 port 1812,
id=177, length=68
   Framed-IP-Address = 255.255.255.254
   Framed-MTU = 1500
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   Session-Timeout = 86400
   Framed-IP-Netmask = 255.255.255.0
   Idle-Timeout = 3600

Everything works fine. But when I try to login using Monowall login page on
debug mode I have this:

___

rad_recv: Access-Request packet from host 124.124.124.124 port 63026,
id=166, length=150
NAS-IP-Address = 124.124.124.124
NAS-Identifier = gwrp.semfio.usp.br
User-Name = nbati...@dialup.usp.br
User-Password = ***
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 83
Framed-IP-Address = 125.125.125.125
Called-Station-Id = 00:11:2f:75:81:7c
Calling-Station-Id = 00:1b:77:b5:34:9d
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/usr/local/var/log/radius/radacct/143.107.192.54/auth-detail-20090203
[auth_log]
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/
143.107.192.54/auth-detail-20090203
[auth_log]  expand: %t - Tue Feb  3 17:30:54 2009
++[auth_log] returns ok
[suffix] Looking up realm dialup.usp.br for User-Name = 
nbati...@dialup.usp.br
[suffix] Found realm dialup.usp.br
[suffix] Adding Realm = dialup.usp.br
[suffix] Proxying request from user nbatista to realm dialup.usp.br
[suffix] Preparing to proxy authentication request to realm dialup.usp.br
++[suffix] returns updated
[sql]   expand: %{User-Name} - nbati...@dialup.usp.br
[sql] sql_set_user escaped user -- 'nbati...@dialup.usp.br'
rlm_sql (sql): Reserving sql socket id: 6
[sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM radcheck
WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT id, UserName,
Attribute, Value, Op   FROM radcheck   WHERE Username = '
nbati...@dialup.usp.br'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql]   expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM
radusergroup WHERE UserName='nbati...@dialup.usp.br' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 6
[sql] User nbati...@dialup.usp.br not found
++[sql] returns notfound
++[pap] returns noop
Sending Access-Request of id 239 to 126.126.126.126 port 1812
NAS-IP-Address = 124.124.124.124
NAS-Identifier = gwrp.semfio.usp.br
User-Name = nbati...@dialup.usp.br
User-Password = ***
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 83
Framed-IP-Address = 125.125.125.125
Called-Station-Id = 00:11:2f:75:81:7c
Calling-Station-Id = 00:1b:77:b5:34:Sending Access-Request of id
239 to 143.107.253.10 port 1812
NAS-IP-Address = 124.124.124.124
NAS-Identifier = gwrp.semfio.usp.br
User-Name = nbati...@dialup.usp.br
User-Password = ***
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 83
Framed-IP-Address = 125.125.125.125
Called-Station-Id = 00:11:2f:75:81:7c
Calling-Station-Id = 00:1b:77:b5:34:9d
Proxy-State = 0x313636
Going to the next request
Waking up in 0.8 seconds.
Cleaning up request 5 ID 194 with timestamp +9
Waking up in 0.1 seconds.
Waking up in 13.0 seconds.
rad_recv: Access-Reject packet from host 126.126.126.126 port 1812, id=239,
length=82
Reply-Message = \r\nYou are already logged in 2 times  - access
denied\r\n\n
Proxy-State = 0x313636
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Login incorrect (Home Server says so): [nbati...@dialup.usp.br] (from client
gwrp port 83 cli 00:1b:77:b5:34:9d)
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested action.
Sending Access-Reject of id 166 to 123.123.123.123 port 63026
Reply-Message = \r\nYou are already logged in 2 times  - access
denied\r\n\n
Finished request 6.
Going to the next request
Waking up in 4.9

Re: User account lockout

2009-02-03 Thread Marinko Tarlac
Insert failed login attempts in radpostauth table and count them... 
After that add Auth-Type Reject...


SDamron wrote:

Is there a way, using whatever method, to lock out accounts after
several bad login attempts?

TIA,

Damron
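A prototype, added here and not taken from the thread, of the lockout Marinko describes: count a user's recent Access-Reject rows in radpostauth and force Auth-Type Reject once they reach a threshold. It uses sqlite3 in place of the real SQL backend; the 5-attempt threshold, the 15-minute window, the fixed clock and the sample rows are assumptions, and the query also ignores failures older than the user's last successful login so that one good login resets the counter.

```python
"""Lockout check along the lines Marinko suggests: count recent Access-Reject
rows for a user in FreeRADIUS's radpostauth table and decide whether the
authorize section should force Auth-Type := Reject.

Constructed example, not FreeRADIUS code. The table layout follows the
default 2.x radpostauth schema (username, pass, reply, authdate); the sample
rows, the 5-attempt threshold and the 15-minute window are assumptions.
"""
import sqlite3
from datetime import datetime, timedelta

MAX_FAILURES = 5                       # assumed threshold
WINDOW = timedelta(minutes=15)         # assumed lockout window
NOW = datetime(2009, 2, 3, 18, 0, 0)   # fixed clock so the run is deterministic

SCHEMA = """
CREATE TABLE radpostauth (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL,
    pass     TEXT NOT NULL,
    reply    TEXT NOT NULL,
    authdate TEXT NOT NULL
);
"""

# Same shape as the query the sql module would run from an xlat in
# authorize: count only rejects inside the window, and only those newer
# than the user's last Access-Accept, so a successful login resets the
# counter instead of letting old failures lock out a legitimate user.
COUNT_QUERY = """
SELECT COUNT(*) FROM radpostauth
 WHERE username = ?
   AND reply = 'Access-Reject'
   AND authdate > ?
   AND authdate > COALESCE(
         (SELECT MAX(authdate) FROM radpostauth
           WHERE username = ? AND reply = 'Access-Accept'), '')
"""

# (username, reply, minutes before NOW) -- constructed sample data
SAMPLE_ROWS = [
    ("alice", "Access-Reject", 40),  # older than the window: ignored
    ("alice", "Access-Reject", 12),
    ("alice", "Access-Reject", 11),
    ("alice", "Access-Reject", 10),
    ("alice", "Access-Reject", 9),
    ("alice", "Access-Reject", 8),   # fifth failure inside the window
    ("bob",   "Access-Reject", 6),
    ("bob",   "Access-Reject", 5),
    ("bob",   "Access-Accept", 4),   # success resets bob's counter
    ("bob",   "Access-Reject", 3),
]


def stamp(when):
    """Format a timestamp the way the default post-auth query does (%S)."""
    return when.strftime("%Y-%m-%d %H:%M:%S")


def build_db():
    """Create an in-memory radpostauth table filled with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for user, reply, age in SAMPLE_ROWS:
        # The stock post-auth query writes the cleartext User-Password into
        # 'pass'; a lockout table does not need it, so store a placeholder.
        db.execute(
            "INSERT INTO radpostauth (username, pass, reply, authdate) "
            "VALUES (?, ?, ?, ?)",
            (user, "-", reply, stamp(NOW - timedelta(minutes=age))),
        )
    return db


def recent_failures(db, username, now=NOW):
    """Rejects for username inside WINDOW and after its last Access-Accept."""
    cutoff = stamp(now - WINDOW)
    (count,) = db.execute(COUNT_QUERY, (username, cutoff, username)).fetchone()
    return count


def authorize(db, username, now=NOW):
    """Control attributes the authorize section would set: Auth-Type := Reject
    once the user reaches MAX_FAILURES, nothing otherwise."""
    if recent_failures(db, username, now) >= MAX_FAILURES:
        return {"Auth-Type": "Reject",
                "Reply-Message": "Too many failed logins; try again later"}
    return {}


if __name__ == "__main__":
    conn = build_db()
    for user in ("alice", "bob", "carol"):
        print(user, recent_failures(conn, user), authorize(conn, user))
```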


Re: Problem with only some users. Monowall - Freeradius

2009-02-03 Thread SDamron
Looks like some kind of problem with your database.  It clears when
you auth against the radtest, but when you try to use a user in the
database, it fails.

On Tue, Feb 3, 2009 at 6:45 PM, Daniel Bojczuk dan...@cirp.usp.br wrote:
 Hi!!

 I have a Monowall authorizing and accounting on a Freeradius 2.1.1

 When I execute:
   radtest nbati...@dialup.usp.br *** 123.123.123.123 0 's3mf!o/'
 I get the following answer:
Sending Access-Request of id 177 to 123.123.123.123 port 1812
User-Name = nbati...@dialup.usp.br
User-Password = nat6672
NAS-IP-Address = 123.123.123.123
NAS-Port = 0
rad_recv: Access-Accept packet from host 123.123.123.123 port 1812,
 id=177, length=68
Framed-IP-Address = 255.255.255.254
Framed-MTU = 1500
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Session-Timeout = 86400
Framed-IP-Netmask = 255.255.255.0
Idle-Timeout = 3600

 Everything works fine. But when I try to login using Monowall login page on
 debug mode I have this:

 ___

 rad_recv: Access-Request packet from host 124.124.124.124 port 63026,
 id=166, length=150
 NAS-IP-Address = 124.124.124.124
 NAS-Identifier = gwrp.semfio.usp.br
 User-Name = nbati...@dialup.usp.br
 User-Password = ***
 Service-Type = Login-User
 NAS-Port-Type = Ethernet
 NAS-Port = 83
 Framed-IP-Address = 125.125.125.125
 Called-Station-Id = 00:11:2f:75:81:7c
 Calling-Station-Id = 00:1b:77:b5:34:9d
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [auth_log]  expand:
 /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
 /usr/local/var/log/radius/radacct/143.107.192.54/auth-detail-20090203
 [auth_log]
 /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 expands to
 /usr/local/var/log/radius/radacct/143.107.192.54/auth-detail-20090203
 [auth_log]  expand: %t - Tue Feb  3 17:30:54 2009
 ++[auth_log] returns ok
 [suffix] Looking up realm dialup.usp.br for User-Name =
 nbati...@dialup.usp.br
 [suffix] Found realm dialup.usp.br
 [suffix] Adding Realm = dialup.usp.br
 [suffix] Proxying request from user nbatista to realm dialup.usp.br
 [suffix] Preparing to proxy authentication request to realm dialup.usp.br
 ++[suffix] returns updated
 [sql]   expand: %{User-Name} - nbati...@dialup.usp.br
 [sql] sql_set_user escaped user -- 'nbati...@dialup.usp.br'
 rlm_sql (sql): Reserving sql socket id: 6
 [sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM radcheck
 WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT id, UserName,
 Attribute, Value, Op   FROM radcheck   WHERE Username =
 'nbati...@dialup.usp.br'   ORDER BY id
 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
 rlm_sql_postgresql: query affected rows = 0 , fields = 5
 [sql]   expand: SELECT GroupName FROM radusergroup WHERE
 UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM
 radusergroup WHERE UserName='nbati...@dialup.usp.br' ORDER BY priority
 rlm_sql_postgresql: Status: PGRES_TUPLES_OK
 rlm_sql_postgresql: query affected rows = 0 , fields = 1
 rlm_sql (sql): Released sql socket id: 6
 [sql] User nbati...@dialup.usp.br not found
 ++[sql] returns notfound
 ++[pap] returns noop
 Sending Access-Request of id 239 to 126.126.126.126 port 1812
 NAS-IP-Address = 124.124.124.124
 NAS-Identifier = gwrp.semfio.usp.br
 User-Name = nbati...@dialup.usp.br
 User-Password = ***
 Service-Type = Login-User
 NAS-Port-Type = Ethernet
 NAS-Port = 83
 Framed-IP-Address = 125.125.125.125
 Called-Station-Id = 00:11:2f:75:81:7c
 Calling-Station-Id = 00:1b:77:b5:34:Sending Access-Request of id
 239 to 143.107.253.10 port 1812
 NAS-IP-Address = 124.124.124.124
 NAS-Identifier = gwrp.semfio.usp.br
 User-Name = nbati...@dialup.usp.br
 User-Password = ***
 Service-Type = Login-User
 NAS-Port-Type = Ethernet
 NAS-Port = 83
 Framed-IP-Address = 125.125.125.125
 Called-Station-Id = 00:11:2f:75:81:7c
 Calling-Station-Id = 00:1b:77:b5:34:9d
 Proxy-State = 0x313636
 Going to the next request
 Waking up in 0.8 seconds.
 Cleaning up request 5 ID 194 with timestamp +9
 Waking up in 0.1 seconds.
 Waking up in 13.0 seconds.
 rad_recv: Access-Reject packet from host 126.126.126.126 port 1812, id=239,
 length=82
 Reply-Message = \r\nYou are already logged in 2 times  - access
 denied\r\n\n
 Proxy-State = 0x313636
 +- entering group post-proxy {...}
 [eap] No pre-existing handler found
 ++[eap] returns noop
 Login incorrect (Home Server says so): [nbati...@dialup.usp.br] (from client
 gwrp port 83 cli 00:1b:77:b5:34

Re: Problem with only some users. Monowall - Freeradius

2009-02-03 Thread Daniel Bojczuk
Sorry I didn't understand.

I executed freeradius on debug mode, then I used the radtest command.

The message is almost the same, but the proxy (@dialup.usp.br - another
radius server in another city) returns OK.

Why does it return OK using radtest and return Reject using monowall?

Thanks, sorry about my english.

Daniel

2009/2/3 SDamron sdam...@gmail.com

Looks like some kind of problem with your database.  It clears when
 you auth against the radtest, but when you try to use a user in the
 database, it fails.

 On Tue, Feb 3, 2009 at 6:45 PM, Daniel Bojczuk dan...@cirp.usp.br wrote:
  Hi!!
 
  I have a Monowall authorizing and accounting on a Freeradius 2.1.1
 
  When I execute:
radtest nbati...@dialup.usp.br *** 123.123.123.123 0 's3mf!o/'
  I get the following answer:
 Sending Access-Request of id 177 to 123.123.123.123 port 1812
 User-Name = nbati...@dialup.usp.br
 User-Password = nat6672
 NAS-IP-Address = 123.123.123.123
 NAS-Port = 0
 rad_recv: Access-Accept packet from host 123.123.123.123 port 1812,
  id=177, length=68
 Framed-IP-Address = 255.255.255.254
 Framed-MTU = 1500
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Framed-Compression = Van-Jacobson-TCP-IP
 Session-Timeout = 86400
 Framed-IP-Netmask = 255.255.255.0
 Idle-Timeout = 3600
 
  Everything works fine. But when I try to login using Monowall login page
 on
  debug mode I have this:
 
 
 ___
 
  rad_recv: Access-Request packet from host 124.124.124.124 port 63026,
  id=166, length=150
  NAS-IP-Address = 124.124.124.124
  NAS-Identifier = gwrp.semfio.usp.br
  User-Name = nbati...@dialup.usp.br
  User-Password = ***
  Service-Type = Login-User
  NAS-Port-Type = Ethernet
  NAS-Port = 83
  Framed-IP-Address = 125.125.125.125
  Called-Station-Id = 00:11:2f:75:81:7c
  Calling-Station-Id = 00:1b:77:b5:34:9d
  +- entering group authorize {...}
  ++[preprocess] returns ok
  [auth_log]  expand:
  /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 -
  /usr/local/var/log/radius/radacct/143.107.192.54/auth-detail-20090203
  [auth_log]
  /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
  expands to
  /usr/local/var/log/radius/radacct/143.107.192.54/auth-detail-20090203
  [auth_log]  expand: %t - Tue Feb  3 17:30:54 2009
  ++[auth_log] returns ok
  [suffix] Looking up realm dialup.usp.br for User-Name =
  nbati...@dialup.usp.br
  [suffix] Found realm dialup.usp.br
  [suffix] Adding Realm = dialup.usp.br
  [suffix] Proxying request from user nbatista to realm dialup.usp.br
  [suffix] Preparing to proxy authentication request to realm 
 dialup.usp.br
  ++[suffix] returns updated
  [sql]   expand: %{User-Name} - nbati...@dialup.usp.br
  [sql] sql_set_user escaped user -- 'nbati...@dialup.usp.br'
  rlm_sql (sql): Reserving sql socket id: 6
  [sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM radcheck
  WHERE Username = '%{SQL-User-Name}'   ORDER BY id - SELECT id, UserName,
  Attribute, Value, Op   FROM radcheck   WHERE Username =
  'nbati...@dialup.usp.br'   ORDER BY id
  rlm_sql_postgresql: Status: PGRES_TUPLES_OK
  rlm_sql_postgresql: query affected rows = 0 , fields = 5
  [sql]   expand: SELECT GroupName FROM radusergroup WHERE
  UserName='%{SQL-User-Name}' ORDER BY priority - SELECT GroupName FROM
  radusergroup WHERE UserName='nbati...@dialup.usp.br' ORDER BY priority
  rlm_sql_postgresql: Status: PGRES_TUPLES_OK
  rlm_sql_postgresql: query affected rows = 0 , fields = 1
  rlm_sql (sql): Released sql socket id: 6
  [sql] User nbati...@dialup.usp.br not found
  ++[sql] returns notfound
  ++[pap] returns noop
  Sending Access-Request of id 239 to 126.126.126.126 port 1812
  NAS-IP-Address = 124.124.124.124
  NAS-Identifier = gwrp.semfio.usp.br
  User-Name = nbati...@dialup.usp.br
  User-Password = ***
  Service-Type = Login-User
  NAS-Port-Type = Ethernet
  NAS-Port = 83
  Framed-IP-Address = 125.125.125.125
  Called-Station-Id = 00:11:2f:75:81:7c
  Calling-Station-Id = 00:1b:77:b5:34:Sending Access-Request of id
  239 to 143.107.253.10 port 1812
  NAS-IP-Address = 124.124.124.124
  NAS-Identifier = gwrp.semfio.usp.br
  User-Name = nbati...@dialup.usp.br
  User-Password = ***
  Service-Type = Login-User
  NAS-Port-Type = Ethernet
  NAS-Port = 83
  Framed-IP-Address = 125.125.125.125
  Called-Station-Id = 00:11:2f:75:81:7c
  Calling-Station-Id = 00:1b:77:b5:34:9d
  Proxy-State = 0x313636
  Going to the next request
  Waking up in 0.8 seconds.
  Cleaning up request 5 ID 194 with timestamp

Re: Problem with only some users. Monowall - Freeradius

2009-02-03 Thread tnt
I have a Monowall authorizing and accounting on a Freeradius 2.1.1


I have news for you - you don't. Some other server does that. Yours just
proxies requests to it.

[suffix] Looking up realm dialup.usp.br for User-Name = 
nbati...@dialup.usp.br
[suffix] Found realm dialup.usp.br
[suffix] Adding Realm = dialup.usp.br
[suffix] Proxying request from user nbatista to realm dialup.usp.br
..
rad_recv: Access-Reject packet from host 126.126.126.126 port 1812, id=239,
length=82
Reply-Message = \r\nYou are already logged in 2 times  - access
denied\r\n\n
Proxy-State = 0x313636
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Login incorrect (Home Server says so): [nbati...@dialup.usp.br] (from client
gwrp port 83 cli 00:1b:77:b5:34:9d)


That's the only information of any use on this debug - Home Server says
so!

Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested action.

Why have you disabled Post-Auth-Type REJECT on your server?

I understood that there are 2 sessions opened. Am I correct?

Maybe. But you need the debug from the home server in order to find out.

If I am how can
I close these sessions?

Again, you can't. If the home server didn't get stop packets from your NAS,
the sessions will need to be removed in the home server database. If you
are not the administrator of the home server, there is nothing you can
do, except call someone who is.

Ivan Kalik
Kalik Informatika ISP



Re: Problem with only some users. Monowall - Freeradius

2009-02-03 Thread tnt
I executed freeradius on debug mode, then I used the radtest command.

The message is almost the same,

Almost is the key word here.

but the proxy (@dialup.usp.br - another
radius server in another city) returns OK.

Why does it return OK using radtest and return Reject using monowall?

Who knows (actually the admin of the home server will know). Most likely
it's because the NAS request has Called-Station-Id in it. Or it could be
NAS-Identifier. Or ...

Ivan Kalik
Kalik Informatika ISP



Re: Problem with udpfromto in version 2.1.1 - please help

2009-02-03 Thread Will D. Spann
Alan,

  The comments in radiusd.conf just before that say that the authorize
etc. sections are in virtual hosts, and that the include line includes
those virtual hosts.

I see; thanks for the clarification.  This is a departure from how FreeRADIUS 
1.0 was configured, where the authenticate and authorize sections resided in 
the radiusd.conf file.

 Running radiusd -X as root with default settings gives errors related to
 EAP and Diffie-Hellman.  I'm running the x64 package from openSUSE 11.1
 (FreeRADIUS 2.1.1).  I have OpenSSL 0.9.8h installed.

  Run the bootstrap command as root.

Thanks for the suggestion.  I ran the /etc/raddb/certs/bootstrap script, and it 
successfully created the self-signed SSL certificates for EAP.  Now the 
Diffie-Hellman errors have gone away, when I run radiusd -X.  At this point I 
was still getting the remaining EAP-related errors.

However, I noticed a new permission denied error, related to SSL in the
rlm_eap module.  Based on this, I checked the ownership/permissions of the
configuration files and keys in the /etc/raddb folder and below.  It turns out
they were all set to root.root, r/w for the root user only!  But the default
configuration has radiusd running as the radiusd user, so it couldn't read the
files it needed access to.  Changing the ownership to root.radiusd and the
permissions to r/w for root and read for the radiusd group solved my startup
problem.  Thanks again.  I would never have seen this cause without getting
past the SSL key creation issue.

Unfortunately, I'm getting the same negative results when running the
recommended initial radtest test, "radtest test test localhost 0 testing123".
The following is the output I get.

radclient: socket: cannot initialize udpfromto: Function not implemented

I'm not sure where to go from here.  I'm still running with the default 
configuration.

Thanks for any additional help.

Will Spann


The abbreviated radiusd -X output I received PRIOR to fixing the 
ownership/permissions problem is below, for reference.  Now radiusd runs 
without errors.


gcwifi-auth-vm:/etc/raddb # radiusd -X
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Dec  3 2008 
at 13:57:16
[...]
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
 }
}
Errors initializing modules




Re: Query on Acct-Status-Type

2009-02-03 Thread ramesh p
What's the difference between Accounting stop and AcctStatusType=stop?
Accounting stop and AcctStatusType=tunnel-stop?

I need only stop packets. I'm not going to store accounting start packets.

If I send accounting stop packets and AcctStatusType=tunnel-stop I am
receiving it as AcctStatusType=Stop only. Why? Any reason?
My questions are:
1. I need to store/log only Accounting stop packets with AcctStatusType =
Stop.
If I get a packet of
AcctStatusType=Start,Checkpoint,Accounting-On,Accounting-Off,Tunnel-Start,Tunnel-Stop,Tunnel-Reject,Tunnel-Link-Start,
Tunnel-Link-Stop, Tunnel-Link-Reject, Failed, I need to ignore them and not
store them in the db.
For this I commented out all the queries (start, update, on, off) except
accounting_stop_query and accounting_stop_query_alt.
Will this satisfy my requirement?
Please help me.

On Tue, Feb 3, 2009 at 9:29 PM, t...@kalik.net wrote:

 You are aware that this will disable Simultaneous-Use?
 could you explain me more.
 

 If you don't record Start packets you won't be able to detect double
 (or multiple) logins by the same user. Potentially, one user can pay you
 and reveal his user/pass to everybody and all of them will be able to
 connect to your network as they please. If Simultaneous-Use is working
 only one at the time can connect - they can still share user details but
 they won't be able to connect in the same time.

 
 My routers will be sending packet types of Acct-Status-Type =
  Start,
 Stop,
 Checkpoint,
 Accounting-On,
 Accounting-Off,
 Tunnel-Start,
 Tunnel-Stop,
 Tunnel-Reject,
 Tunnel-Link-Start,
  Tunnel-Link-Stop,
  Tunnel-Link-Reject,
 Failed.
 

 There should be Interim-Update on that list as well. Freeradius processes
 Start, Stop, Update, On and Off by default.

 However i need to store only the category of Acct-Status-Type == Stop
 packets.
 

 You have done that already:

 At present am using Accounting_stop query and Accounting_stop_alt query
 for
 storing stop packets.

 Ivan Kalik
 Kalik Informatika ISP


Re: Cannot get value of config item with \\

2009-02-03 Thread Matej Vadnjal
On Tuesday 03.02.2009 08:42:44 Alan DeKok wrote:
  - If I reject in pre-proxy my server crashes. No error message or
  anything, it just exits (see attached debug). Is this a bug? I'm using
  version 2.1.0.

   That would be a bug.  My first suggestion would be to upgrade rather
 than trying to track down what's going wrong.

I just tested with version 2.1.3 and it works. Thank you for all your help.


Regards

Matej Vadnjal
ARNES



Re: Variable for Secret in Request?

2009-02-03 Thread Alan DeKok
Eric Geier wrote:
 If sql xlat won't work in the clients file,

  What does that mean?

 do you recommend to check
 something in particular? I also can't get the mac authentication working
 with Calling-Station-ID in the radcheck table...maybe I have something wrong
 with my sql on the freeradius machine or with the SQL server.

  See the FAQ entry for "it doesn't work".

  Alan DeKok.